Feishu Send Msg

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is meant to send Feishu messages, but its broad activation wording and inconsistent permission/privacy guidance make accidental or misunderstood sending too plausible.

Review this skill before installing. It appears non-executable and purpose-aligned, but it should clarify whether messages are sent as a bot or user, narrow activation to explicit send requests, and require confirmation before sending message text or open_id values to Feishu.

SkillSpector (3)

By NVIDIA

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The skill gives conflicting security and permission guidance: one section says sending may require user authorization and the `im:message.send_as_user` permission, while another says no token or user authorization is needed and that delivery happens as a bot. This ambiguity can cause an agent or operator to choose an incorrect trust or permission model, potentially sending messages under the wrong identity assumptions or requesting excessive permissions.

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger phrases are broad and generic, which increases the chance the skill activates when a user casually mentions Feishu messaging rather than intending to invoke an external-send action. In an agent setting, unintended invocation can result in accidental message transmission to third parties, especially because the skill is action-oriented and affects external systems.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill does not clearly warn that both message content and the recipient's `open_id` will be transmitted to Feishu, an external service. Without an explicit disclosure, users may unknowingly share sensitive text or identifiers outside the current environment, creating privacy and data-handling risks.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
